1. The Field of the Invention
The present invention relates generally to authentication. More specifically, the present invention relates to challenge-based authentication mechanisms that do not require knowledge of secret authentication data.
2. Background and Relevant Art
Computing technology has transformed the way we work and play. Computing systems and devices (hereinafter also referred to simply as “computing entities”) now take a wide variety of forms including desktop computers, laptop computers, tablet PCs, Personal Digital Assistants (PDAs), household devices and the like. In its most basic form, a computing system includes system memory and one or more processors. Software in the system memory may be executed by the processor to direct the other hardware of the computing system to perform desired functions. In other computing entities, logic is implemented using hardware, or a combination or software and hardware.
Networking technologies enable computing entities to communicate even over vast distances, thereby expanding on computer functionality. For example, networking technologies enable such applications as e-mail, web browsing, file transfer, instant messaging, electronic whiteboarding, network collaboration, and the like. Accordingly, computer networks enable widespread communication and information access.
Unfortunately, computer networks also can potentially open up connected computing entities to security breaches. One type of security breach is for one computing system or user to make false claims about who they are to thereby access resources they should not have access to. In order to guard against this, an authenticatee computing entity (i.e., a computing entity that requires authentication) will often require an authenticator computing entity (i.e., a computing entity that must authenticate) to authenticate itself. The authenticatee computing entity may then make a more informed decision regarding how to interact with the authenticator computing entity.
One particularly useful form of authentication is often referred to as challenge/response authentication. In this form of authentication, when an authenticator computing entity (hereinafter also referred to as the “authenticator”) is to authenticate to an authenticatee computing entity (hereinafter also referred to as the “authenticatee”), the authenticatee sends a challenge to the authenticator. The authenticatee then generates a response (also referred to herein as an “answer”) to the challenge typically by applying a one-way hash algorithm to the challenge using secret data available to the authenticatee and authenticator. This secret data may be, for example, a password corresponding to the authenticator. The authenticator likewise also generates the same answer using the same hashing algorithm and using the same secret data. The authenticator then provides its answer to the authenticatee. The authenticatee then compares the answer that the authenticator generated with the answer that the authenticatee generated. If the answers match, then the authentication is successful. The challenge/response authentication is advantageous in that the secret data itself is not transmitted, and thus may not be intercepted.
However, this challenge/response authentication requires that the authenticator and authenticatee computing entities have access to the secret data used for authentication, and that the authenticator and authenticatee computing entities generate the answer. In some environments this may not be desirable. For example, many computing entities have limited processing power. The generation of an answer may degrade the performance of the computing entity by diverting processing power from other processes. Furthermore, the computing entities may not be themselves secure. Accordingly, an unauthorized entity might conceivably access the secret data and use that data to falsely authenticate.
Accordingly, what would be advantageous is a challenge/response authentication mechanism that does not require the authenticator and authenticatee computing entities to generate an answer or contain the secret data itself.